Article : firewalld


# systemctl status firewalld

# systemctl start|stop firewalld
# systemctl enable|disable firewalld

# firewall-cmd --get-active-zones
# firewall-cmd --get-zones

# firewall-cmd --zone=public --list-all

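# firewall-cmd --set-default-zone=home
# firewall-cmd --set-default-zone=home --permanent
# Note: --set-default-zone already changes both the runtime and the permanent configuration, so the --permanent form is redundant and may be rejected as an invalid option combination.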

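# Without --permanent a change is runtime-only and is lost on --reload or a restart; with --permanent it is saved but not active until --reload.
# firewall-cmd --zone=public --add-service=http
# firewall-cmd --zone=public --add-service=http --permanent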

# firewall-cmd --zone=public --remove-service=http
# firewall-cmd --zone=public --remove-service=http --permanent

# firewall-cmd --zone=public --add-port=443/tcp
# firewall-cmd --zone=public --add-port=443/tcp --permanent

# firewall-cmd --zone=public --remove-port=443/tcp
# firewall-cmd --zone=public --remove-port=443/tcp --permanent

# firewall-cmd --zone=public --list-all

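# firewall-cmd --new-zone=ZONE-NAME
# firewall-cmd --zone=ZONE-NAME --change-interface=
# firewall-cmd --zone=ZONE-NAME --set-target=
# Note: --new-zone and --set-target are permanent-only options: run them with --permanent, then --reload so the zone exists at runtime before using the runtime commands on it.
# Targets are default, ACCEPT, DROP and REJECT; ACCEPT lets through every packet that no rule matches, so use it only for a fully trusted zone.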
# firewall-cmd --zone=ZONE-NAME --add-source=192.168.2.15
# firewall-cmd --zone=ZONE-NAME --list-sources
# firewall-cmd --zone=ZONE-NAME --remove-source=
# firewall-cmd --get-zones
# firewall-cmd --runtime-to-permanent

# === Forwarding ===
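# To redirect a port to another port at a different IP address:
# firewall-cmd --add-forward-port=port=port-number:proto=tcp|udp:toport=port-number:toaddr=IP/mask
# firewall-cmd --add-masquerade
# Note: with no --zone option these commands act on the default zone, and --add-masquerade turns on IPv4 source NAT for the whole zone, not just the forwarded port. Confirm the zone with --get-active-zones before enabling it.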
# To redirect the port:
# Redirect the port 80 to port 88 for TCP traffic:
# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=88
# Make the new settings persistent:
# firewall-cmd --runtime-to-permanent
# Check that the port is redirected:
# firewall-cmd --list-all

# firewall-cmd --remove-forward-port=port=port-number:proto=:toport=port-number:toaddr=
# firewall-cmd --remove-masquerade
# firewall-cmd --runtime-to-permanent

# === ICMP ===
# firewall-cmd --get-icmptypes
# firewall-cmd --info-icmptype=
# firewall-cmd --query-icmp-block=
# firewall-cmd --add-icmp-block=
# firewall-cmd --remove-icmp-block=
# firewall-cmd --set-target=DROP
# firewall-cmd --runtime-to-permanent
# firewall-cmd --runtime-to-permanent

# To block and drop certain ICMP requests and allow others:
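# Set the target of your zone to DROP:
# firewall-cmd --set-target=DROP
# Note: --set-target is a permanent-only option, so run it with --permanent and then --reload before the runtime steps below. A DROP target silently discards unmatched traffic, so first confirm that the services you manage the host through (for example ssh) are allowed in the zone.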
# Add the ICMP block inversion to block all ICMP requests at once:
# firewall-cmd --add-icmp-block-inversion
# Add the ICMP block for those ICMP requests that you want to allow:
# firewall-cmd --add-icmp-block=
# Make the new settings persistent:
# firewall-cmd --runtime-to-permanent
# Block inversion inverts the ICMP block settings: every ICMP request type that was not blocked becomes blocked, and every type that was blocked is no longer blocked. This means that while inversion is on, you unblock a request type by using the blocking command (--add-icmp-block) for it.
# To revert this to a fully permissive setting:
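# Set the target of your zone to default or ACCEPT:
# firewall-cmd --set-target=default
# Note: --set-target needs --permanent. The default target still rejects traffic that no rule allows while permitting ICMP; ACCEPT accepts everything no rule matches, so prefer default unless the zone is fully trusted.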
# Remove all added blocks for ICMP requests:
# firewall-cmd --remove-icmp-block=
# Remove the ICMP block inversion:
# firewall-cmd --remove-icmp-block-inversion
# Make the new settings persistent:
# firewall-cmd --runtime-to-permanent
# firewall-cmd --reload